Attackers are actively targeting ConnectWise ScreenConnect, a widely used remote maintenance software, prompting warnings from cybersecurity authorities. Teh U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in early June regarding ongoing attacks exploiting vulnerabilities in the software. Simultaneously, ConnectWise disclosed a seperate security incident involving state-sponsored attackers gaining access too its own network.
The attacks leverage multiple vectors,including exploiting software vulnerabilities and employing spear-phishing campaigns. CISA’s warning, issued around June 6th, highlighted the active exploitation of ScreenConnect. On the same day, ConnectWise confirmed a breach of its systems by a nation-state actor, indicating a complex and targeted attack.
Security recommendations emphasize strengthening access controls to mitigate risk. Organizations are advised to restrict ScreenConnect administrative access to managed devices within their habitat. Implementing FIDO2/WebAuthn authentication for ScreenConnect access is also recommended as a defense against phishing attacks. Further optimizations to security configurations are being analyzed and proposed.
The dual nature of the attacks - exploiting software flaws *and* directly targeting the vendor – underscores the severity of the threat. The state-sponsored breach at ConnectWise raises concerns about potential supply chain compromises and the possibility of attackers gaining access to customer data or deploying malicious updates.
ConnectWise has been working to address the security incidents and provide guidance to its customers. The company has released security updates and is collaborating with law enforcement and cybersecurity experts to investigate the attacks.Organizations using screenconnect are urged to review CISA’s advisory and implement the recommended security measures promptly.
Indicators of Compromise (IOCs) related to these attacks are being actively tracked and shared within the cybersecurity community. Proactive monitoring and threat hunting are crucial for detecting and responding to potential intrusions. The incident serves as a reminder of the importance of robust security practices, including strong authentication, regular software updates, and proactive threat intelligence.
